pfSense

Return after setting account expired

Honor account expiration

create a config include that just presents $config to the webgui (no boot code being parsed anymore in webgui now)

Add pfSense_BUILDER_BINARIES: and pfSense_MODULE: additions

We need to be RW to modify user information.

Give admin user special treatment just like root.

• Move functions that output html to guiconfig.inc
• Remove some recursive dependency on some includes
• Remove ^M or \r from files
• Remove some entries from functions.inc to avoid including them twice
• Remove some unneccessary includes from some files
  ...

Remove ^M or \r from this file its impossible to read in vi.

Give proper rights to file when creating since php is run as root and might change permissions in dirs while modifying/creating them. Reported-by: http://forum.pfsense.org/index.php/topic,16890.0.html

Use -q to hopefully git rid of messages such as: pw: WARNING account 'admin' will have a valid id of 0 (superuser access!)

Use mwexec() so we do not see this error on fresh installation:

cp: /root/.. is a directory (not copied).
cp: /root/. is a directory (not copied).

Ensure $user_base directory exists and is writable. Kills ugly warning on
fresh installation.

Modify captive portal to use centralized user management. The user manager has
been modified to include an account expiration option to support this service.

Choose the correct parameter to popen so syncing of a group can work correctly.

Open a write pipe so we can be sure the password goes to the stdinput of the command. This should fix the ssh password problems reported on the forums.

Add missing /

When a new user home directory is created, copy the . (dot) root files.

Use a MFS /home on CD-Rom.

Backout last commit, /var/home is a symlinnk

Use /home, even for embedded

Only mount for rw during sync function.

Another missed needed conf_mount_rw().

Oops, we need to mount rw before creating home dir.

Hopefully unbreal the user manager on embedded.

See: http://forum.pfsense.org/index.php/topic,12567.0/topicseen.html

Add global debug where needed

Only show debug Running commands if $debug is enabled

Moves the protocol and certificate options out of the general config page
to the Advanced admin access tab. The thought is that they should be next
to each other. The certificate management has also been modified to use
the centralized certificate manager. I took the liberty of removing the...

Remove the page locking privileges after discussion with Scott on IRC. The
feature was confusing and offered little utility that I could see. If we
really need to provide serialized access to sections of the webui, IMO it
should be a global lock option and enabled or disabled manually and not a...

Now that we have given the mhash extension a bit of time to settle into
the tree, enable nthash password generation.

Silence warnings generated by pw during configuration update. Requested by
Scott.

Cleanup authentication code. The basic auth method, the passwd, htpasswd
and pam backing functions have been removed. The basic auth method was
legacy code and the backing functions were redundant with no added value
that I could see. A simplified replacement backing function named...

Add an option to set_local_group to clear the system user member list.

When performing a user configuration upgrade, make sure the all group gets
created before syncing accounts to the system.

Rewrite the pfsense privilege system with the following goals in mind ...

1) Redefine page privileges to not use static urls
2) Accurate generation of privilege definitions from source
3) Merging the user and group privileges into a single set
4) Allow any privilege to be added to users or groups w/ inheritance...

Rewrite portions of the user manager to ensure data is properly synced to
the system password and group databases. This is to provide better support
for centralized user management when local account administration is
preferred.

I also took this opportunity to do some housekeeping. A lot of funtions...

General whitespace and style cleanup of the auth.inc file. I was having a
hard time following some of the code logic due to poor formatting. There
should be no functional change.

Remove debug messages that gave away info on why the login failed
add failed and successful login messages to syslog

Remove dead code.

Latest LDAP round from Mark Batchelor
VS: ----------------------------------------------------------------------

Latest version of auth.inc from Mark Batchelor fixing a few misc
LDAP auth issues + local auth issues.

Latest LDAP changes from Mark Batchelor

• Remove trailing blank line
• Make sure $info has data before operating on it

• Remove trailing blank line
• Make sure $search has data before operating on it

Latest eDir / Active Directory tweaks from Mark Batchelor.

Thanks again for him helping us with this project!

Changes to allow Novell eDir to authenticate via LDAP.

Thanks to Mark Batchelor for all of his help with these changes.

Conditional checks use ==, not = !

Check that ldap_connect() exists before calling. For some reason on
bootup the function does not exist but the module is loaded?

• Missing =
• Allow user manager to adhere to admins group

Only check item if it is an array.

Correctly return no groups when the user is not a member of a local group.

Modify isSystemAdmin() to check LDAP for a "admins" group.

Remove the need to define authetnication containers. Now a user can login
anywhere in the LDAP tree and will use the groups to deterimine the access
privs.

Work sponsored-by: Centipede Networks

Only iterate items if it is an array.

Work sponsored-by: Centipede Networks

• Return OU=Users which is built-in to active directory
• Specify that LDAP is Active Directory compatible

Work sponsored-by: Centipede Networks

Correct variable check.

Adding LDAP Authentication container picker.

Work sponsored-by: Centipede Networks

Add Users containers setting where a ; seperated list of LDAP containers
can be specified to authenticate against. Final item will be a graphical
browser that can help the operator populate this box if they are feeling
lazy or do not understand LDAP completely....

Add LDAP test functions to verify that the LDAP settings are correct.
Return the OU's and show to the user after test completion.

Add ldap_get_user_ous() which will return an array of containers that hold
user objects. This will be used by the ldap settings manager to allow the
operator to specify which containers they would like to authenticate from.

Work sponsored-by: Centipede Networks <http://centipedenetworks.com/>

Ignore ldap items for locally defined users.

Work sponsored-by: Centipede Networks <http://centipedenetworks.com/>

• Allow LDAP users to login to pfSense.
• Cross reference Active Directory user groups with pfSense groups, apply
  groups where names match
• Clarify some of the settings items and give examples

• Refactor code a bit, split out user property search function
• Bring back filter code

Work sponsored-by: Centipede Networks

Allow multiple groups to be assigned per user.

Work sponsored-by: Centipede Networks

• Hide search base
• Use correct variable name

Work sponsored-by: Centipede Networks

Adding LDAP backend glue.

Work sponsored-by: Centipede Networks <http://centipedenetworks.com/>

• Correctly report invalid password
• Correctly report invalid username
• Correctly report 401 errors

Correctly show 401 errors.

Remove trailing space / cr

Backport usermanager code from HEAD so I can get it in the snaps and
start testing it properly
There's still some CSS/HTML fixes needed but the code seems to work

• Minior tab alignments
• We're in 2006, toto

• Eliminate dead code
• Fix warnings and errors found by eclipse

restore 1.10

Ticket #598

use admin user when using a special username

Correct comment

Terminate comment correctly

Pointy-hat-to: GeekGod

Duplicate logic to htpasswd_backed_basic_auth()

honour custom username set in webConfigurator page

honour custom username set in webConfigurator page

If there's a PHP_AUTH_* copy it over to AUTH_* (mini sets AUTH_*, lighttpd sets PHP_AUTH_*)

Change realm to .

Ticket #337

Remove trailing space

Better regexp
Courtesy-of: strgout

better regexp

md5's can have '/'s in them apparently...doh

ensure .htpasswd doesn't exist

split out auth types (system passwd vs htpasswd)
PHP_AUTH_* no longer exists, change code to use AUTH_* (I think this will be changing back as I believe we're using the wrong mini_httpd patches now)

Initial commit of PHP side authentication code for pfSense